Bypass MYSQL Authentication CVE-2012-2122

Recently a serious vulnerability  inside mysql has been found. According to the advisory the following versions are affected - 5.5.23, 5.3.6, 5.2.12, 5.1.62. This is not a the first time authentication vulnerability has been found inside mysql, However the developers fail to protect it.

So what was the fault?, How and why is mysql authentication affected. According to researchers the mysql authentication was checked for wrong password 255 times out of 256. Which means that one in 256 passwords might let you in.
In order to exploit this vulnerability, it takes just this piece of the code to be injected:

$ for i in `seq 1 1000`; do mysql -u root --password=bad -h 127.0.0.1 2>/dev/null; done mysql> 


"When a user connects to MariaDB/MySQL, a token (SHAover a password and a random scramble string) is calculated and comparedwith the expected value. Because of incorrect casting, it might've happened that the token and the expected value were considered equal,even if the memcmp() returned a non-zero value. In this caseMySQL/MariaDB would think that the password is correct, even while it isnot. Because the protocol uses random strings, the probability ofhitting this bug is about 1/256."


"Which means, if one knows a user name to connect (and "root" almostalways exists), she can connect using *any* password by repeatingconnection attempts. ~300 attempts takes only a fraction of second, so basically account password  protection is as good as nonexistent.Any client will do, there's no need for a special libmysqlclient library."


CounterMeasures

Patch your MySQL or MariaDB installations if you haven't already.

Demonstrations

-      ¤®ä冤